Appengine Flex 服务帐户权限不足,无法访问 Drive 文件夹
Insufficient Permission with Appengine Flex service account to access Drive folder
我编写了一个应用程序,它使用了官方记录的所有 clients/sdks。
credentials = GoogleCredentials \
.get_application_default() \
.create_scoped('https://www.googleapis.com/auth/drive')
drive = discovery.build(
'drive',
'v3',
http=self.credentials.authorize(Http())
)
drive.files() \
.get(fileId=file_id) \
.execute()
它在本地使用从面板生成的服务帐户完美运行,但是当我部署应用程序时,AppEngine 柔性环境中的服务帐户遇到问题。
17:15:04.000 /env/lib/python3.4/site-packages/oauth2client/contrib/gce.py:99: UserWarning: You have requested explicit scopes to be used with a GCE service account.
17:15:04.000 Using this argument will have no effect on the actual scopes for tokens
17:15:04.000 requested. These scopes are set at VM instance creation time and
17:15:04.000 can't be overridden in the request.
17:15:04.000
17:15:04.000 warnings.warn(_SCOPES_WARNING)
17:15:04.000 INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/discovery/v1/apis/drive/v3/rest
17:15:04.000 INFO:oauth2client.client:Attempting refresh to obtain initial access_token
17:15:04.000 INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/drive/v3/files/0B0Kn....M1pBNFE?alt=json
17:15:04.000 ERROR:root:Failed to retrieve file 0B0K....M1pBNFE. Is it shared with me? project-id@appspot.gserviceaccount.com
17:15:04.000 Traceback (most recent call last):
17:15:04.000 File "/home/vmagent/app/script.py", line 45, in get
17:15:04.000 .execute()
17:15:04.000 File "/env/lib/python3.4/site-packages/oauth2client/util.py", line 135, in positional_wrapper
17:15:04.000 return wrapped(*args, **kwargs)
17:15:04.000 File "/env/lib/python3.4/site-packages/googleapiclient/http.py", line 760, in execute
17:15:04.000 raise HttpError(resp, content, uri=self.uri)
17:15:04.000 googleapiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/drive/v3/files/0B0Kn....M1pBNFE?alt=json returned "Insufficient Permission">
我检查了权限,它们都已设置。问题可能是由于 "Using this argument will have no effect..." 消息引起的,该消息在尝试创建作用域凭据时出现。
正如您在之前的评论中提到的,这是一个 known issue. As described by araf...@google.com,灵活环境中的 App Engine 实例似乎将 Uderlying GCE VM 的凭据假定为应用程序默认凭据。
As a workaround in the meantime, you can use a manually created service account exported as a JSON key stored in your app, as per Using OAuth 2.0 for Server to Server Applications.
对于受此问题影响或解决方法无效的任何人,请post said issue 上的任何相关信息。
我编写了一个应用程序,它使用了官方记录的所有 clients/sdks。
credentials = GoogleCredentials \
.get_application_default() \
.create_scoped('https://www.googleapis.com/auth/drive')
drive = discovery.build(
'drive',
'v3',
http=self.credentials.authorize(Http())
)
drive.files() \
.get(fileId=file_id) \
.execute()
它在本地使用从面板生成的服务帐户完美运行,但是当我部署应用程序时,AppEngine 柔性环境中的服务帐户遇到问题。
17:15:04.000 /env/lib/python3.4/site-packages/oauth2client/contrib/gce.py:99: UserWarning: You have requested explicit scopes to be used with a GCE service account.
17:15:04.000 Using this argument will have no effect on the actual scopes for tokens
17:15:04.000 requested. These scopes are set at VM instance creation time and
17:15:04.000 can't be overridden in the request.
17:15:04.000
17:15:04.000 warnings.warn(_SCOPES_WARNING)
17:15:04.000 INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/discovery/v1/apis/drive/v3/rest
17:15:04.000 INFO:oauth2client.client:Attempting refresh to obtain initial access_token
17:15:04.000 INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/drive/v3/files/0B0Kn....M1pBNFE?alt=json
17:15:04.000 ERROR:root:Failed to retrieve file 0B0K....M1pBNFE. Is it shared with me? project-id@appspot.gserviceaccount.com
17:15:04.000 Traceback (most recent call last):
17:15:04.000 File "/home/vmagent/app/script.py", line 45, in get
17:15:04.000 .execute()
17:15:04.000 File "/env/lib/python3.4/site-packages/oauth2client/util.py", line 135, in positional_wrapper
17:15:04.000 return wrapped(*args, **kwargs)
17:15:04.000 File "/env/lib/python3.4/site-packages/googleapiclient/http.py", line 760, in execute
17:15:04.000 raise HttpError(resp, content, uri=self.uri)
17:15:04.000 googleapiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/drive/v3/files/0B0Kn....M1pBNFE?alt=json returned "Insufficient Permission">
我检查了权限,它们都已设置。问题可能是由于 "Using this argument will have no effect..." 消息引起的,该消息在尝试创建作用域凭据时出现。
正如您在之前的评论中提到的,这是一个 known issue. As described by araf...@google.com,灵活环境中的 App Engine 实例似乎将 Uderlying GCE VM 的凭据假定为应用程序默认凭据。
As a workaround in the meantime, you can use a manually created service account exported as a JSON key stored in your app, as per Using OAuth 2.0 for Server to Server Applications.
对于受此问题影响或解决方法无效的任何人,请post said issue 上的任何相关信息。